OFFICE OF INSPECTOR GENERAL
Audit Report

Inspection of the Railroad Retirement Board’s Financial Management System’s Continuous Monitoring Program

This abstract summarizes the results of the subject audit. The full report includes information protected from disclosure and has been designated for limited distribution pursuant to 5 U.S.C. § 552

Report No. 11-11
September 28, 2011

RAILROAD RETIREMENT BOARD

REPORT ABSTRACT

The Office of Inspector General for the Railroad Retirement Board (RRB) conducted an inspection to evaluate the activities conducted at the RRB for the continuous monitoring of the Financial Management system to determine adherence with existing policy, procedures, guidance, and standards. This inspection directly supports the Office of Inspector General’s mandated Federal Information Security Management Act of 2002 evaluation.

The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring programs provide organizations with an effective mechanism to update certain security documents. In fiscal year 2010, the RRB hired a contractor to perform continuous monitoring testing of the controls over the Financial Management system.

In a separately issued Restricted Distribution report, we communicated that the RRB’s continuous monitoring process does not fully comply with existing policy, procedures, guidance, and standards. As a result, the RRB’s significant deficiency in internal control over the certification and accreditation process remains in effect because of an ineffective review process for contractor deliverables. We made five detailed recommendations to RRB management for improvement in:

   • controls over the review process of the continuous monitoring deliverables;
   • the overall planning process for the continuous monitoring program; and
   • the Bureau of Fiscal Operations’ portion of the RRB’s agency-wide plan of action and milestones.

Agency Management has agreed to take corrective actions for all recommendations.